From Classical Extensional Higher-Order Tableau to Intuitionistic Intentional Natural Deduction

Chad E. Brown1 and Christine Rizkallah2

1 Saarland University, Saarbrücken, Germany [email protected] 2 Max-Planck-Institut für Informatik, Saarbrücken, Germany [email protected]

Abstract We deﬁne a translation that maps higher-order formulas provable in a classical extensional setting to semantically equivalent formulas provable in an intuitionistic intensional setting. For the classical extensional higher-order proof system we deﬁne a Henkin- complete tableau calculus. For the intuitionistic intensional higher-order proof system we give a natural deduction calculus. We prove that tableau provability of a formula implies provability of a translated formula in the natural deduction calculus. Implicit in this proof is a method for translating classical extensional tableau refutations into intuitionistic intensional natural deduction proofs.

1 Introduction

We describe a way of translating a simply-typed higher-order formula s into a semantically equivalent formula s0 such that if s is provable in a classical extensional higher-order tableau calculus, then s0 is provable in an intuitionistic intentional higher-order natural deduction calculus. A potential application of such a translation is mapping refutations found by a classical extensional tableau-based automated theorem prover like Satallax [4] to corresponding proof terms in an intuitionistic intensional natural deduction based system like Coq [15, 3]. The problem of translating classical logic into intuitionistic logic has a long history. A result by Glivenko [11] states that if s is a propositional tautology, then ¬¬s is intuitionistically provable. This result does not hold for first-order formulas. Kuroda [14] showed a similar result if one translates by double negating the formula and adding double negations to the bodies of universal quantifiers. We recently proved that the Kuroda translation generalizes to give a translation from classical intentional higher-order logic to intuitionistic intentional higher order logic [5]. The generalized Kuroda translation does not suffice in the presence of functional extensionality, for an example see [5]. The work of Gandy [9] provides a method to translate from a higher-order logic with extensionality into a higher-order logic without extensionality. The translation we give in this paper uses ideas similar to those of Kuroda and Gandy to deal with both issues at once. The Gandy translation translates equality with the help of a binary relation and a predicate that are defined by mutual recursion. Our translation is simpler in that it translates equality with the help of a single binary relation that is defined inductively on types. Many logical systems of quite different character are commonly referred to as higher-order logics. Some forms of higher-order logic allow classical reasoning while others only allow intuitionistic reasoning. For example, formulas such as ∀p.p ∨ ¬p and ∀p.¬¬p → p are provable if and only if the higher-order logic is classical. Likewise, some forms of higher-order logic allow extensional reasoning while others do not. Formulas such as ∀fg.(∀x.fx = gx) → f = g

J.C. Blanchette, J. Urban (eds.), PxTP 2013 (EPiC Series, vol. 14), pp. 27–42 27 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah and ∀pq.(p → q) ∧ (q → p) → p = q are provable if the higher-order logic is extensional and are not provable otherwise. The formula (λx.¬¬x) = (λx.x) is only provable if the logic is both classical and extensional. The extensionality properties can be factored into propositional extensionality (i.e., boolean extensionality) and functional extensionality (which can itself be factored into extensionality properties η and ξ) [1]. In this paper we consider a tableau system with full extensionality and a natural deduction system with no extensionality. Many automated and interactive theorem provers (e.g., Isabelle/HOL [16], LEO-II [2] and Satallax [4]) are based on classical extensional versions of higher-order logic. Automated and interactive theorem provers are used to create proofs, while the task of a proof checker is checking the correctness of proofs. In order to check a proof, the proof must be represented as an explicit object. A well-known way of representing proofs is via the Curry-Howard-de Bruijn correspondence [13, 8]: a natural deduction proof of P can be encoded as a λ-term of type P . It is easy to write a natural deduction system for higher-order logic for which one can obtain proof terms in an obvious way. However, this creates a natural deduction system which is intuitionistic (not classical) and intentional (not extensional). One way to resolve this mismatch is to add classical extensional axioms to the natural deduction system. Currently, Satallax produces Coq proof terms under the assumption that one has added such axioms to Coq [20]. Using the ideas in this paper, one can avoid assuming such axioms in Coq and still produce Coq proof terms from Satallax refutations (unless Satallax makes use of a choice operator). The basic deﬁnitions and lemmas used in the translation have all been formalized and proven in Coq, as described in [18, 19]. However, there is currently no implementation of the translation as a whole. In particular, Satallax has not yet been extended to produce Coq proof terms using these deﬁnitions and lemmas. Since the translation changes the formula, a Coq user could not typically call a classical extensional theorem prover like Satallax to request a proof term for an arbitrary formula in Coq. On the other hand, one could use the translation to automatically create a Coq development from a development in a classical extensional simple type theory. The rest of the paper is organized as follows. In Section 2 we give a brief overview of simply typed λ-calculus and in Section 3 we introduce a tableau calculus T . We then present the targeted natural deduction calculus N in Section 4. In Section 5 we present our translation. We prove that it maps T -refutable branches to N -refutable contexts in Section 6. We conclude in Section 7 and provide suggestions for future work. More details about the translation in this paper and other translations can be found in the Master’s thesis of one of the authors [18].

2 Simply Typed Lambda Calculus

2.1 Syntax

We describe simply typed λ-calculus in the style of Church [7]. The set of types T is given inductively: o and ι are types and στ is a type whenever σ and τ are types. The types o (the type of propositions) and ι (the type of individuals) are called base types. Types of the form στ are called function types. Often the function type στ is written as σ → τ, but we use the shorter notation since there are only base types and function types. We use σ and τ to range over types. For each type σ, let Nσ be an inﬁnite set of names of type σ. Some of the names are logical constants:

28 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

•> and ⊥ are (distinct) logical constants in No.

•∧ , ∨, and → are (distinct) logical constants in Nooo. σ • For each σ, = is a logical constant in Nσσo. σ σ • For each σ, ∀ and ∃ are (distinct) logical constants in N(σo)o.

The remaining names are variables . Let Cσ be the set of logical constants of type σ and Vσ be S S S the (infinite) set of all variables of type σ. Let N = σ Nσ, C = σ Cσ and V = σ Vσ. 0 C0 For any C ⊆ C we define a family of sets of terms Λσ for each type σ by induction. C0 • For every x ∈ Vσ, x ∈ Λσ . 0 C0 • For every c ∈ Cσ ∩ C , c ∈ Λσ . C0 C0 • For every x ∈ Vσ and s ∈ Λτ , (λx.s) ∈ Λστ . C0 C0 C0 • For every s ∈ Λστ and t ∈ Λσ , (st) ∈ Λτ . C0 We defined Λσ relative to a set of logical constants. There are two particular sets of logical constants of interest in this paper: the full set C of logical constants and the set C− := {→, ∀σ|σ is a type}.

C − C− C0 To simplify notation, we define Λσ to be Λσ and Λσ to be Λσ . Note that Λσ ⊆ Λσ for any 0 S C ⊆ C. An element of Λσ is called a term of type σ.A term is an element of σ Λσ. Terms of the form (λx.s) are called λ-abstractions. Terms of the form (st) are called applications.A formula is a term of type o. We write ¬s for ((→ s)⊥). We write stu for (st)u, except that ¬st means ¬(st). We use the infix notations s ∧ t, s ∨ t, s → t and s =σ t as shorthand for ∧st, ∨st, → st and =σ st, respectively. We also write s 6=σ t for ¬(s =σ t). Using infix notation note that ¬s is the same term as s → ⊥. We sometimes write ∀x : σ.s and ∃x : σ.s for ∀σ(λx.s) and ∃σ(λx.s), respectively. We may also omit the type entirely from a quantified formula, equation or disequation and write ∀x.s, ∃x.s, s = t or s 6= t when the types are clear from the context. If s is a term, x ∈ Nσ and t is a term of type σ, then s[x := t] is defined to be the result of substituting t for x in s via a capture-avoiding substitution. A simultaneous substitution θ substitutes several variables simultaneously. We use the notation θ, [x := t] to mean the simultaneous substitution that agrees with θ on all variables except (possibly) x which is mapped to t. A term of the form (λx.s)t is called a β-redex with β-reduct s[x := t]. We say s β-reduces to t (and write s →β t) if a subterm of s is a β-redex such that t is the result of replacing this subterm by its β-reduct. We define s ∼β t to be the least equivalence relation containing →β. When s ∼β t holds, we say s and t are β-equivalent. A term is β-normal if it has no β-redexes. It is well-known that β-reduction is confluent and terminates on simply typed terms. Hence for every s ∈ Λσ there is a β-normal form of s which is unique (up to names of bound variables). We write dseβ to denote the β-normal form of s. The set of free variables of a term, written FV , is defined as follows. FV (x) := {x} FV (s t) := FV (s) ∪ FV (t) FV (λx.s) := FV (s) − {x} A term s is ground if FV (s) = ∅. The set of free variables of a set of terms B is defined as S FV (B) := s∈B FV (s).

29 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

2.2 Semantics Henkin proved completeness of a form of Church’s simple theory of types [7] relative to a semantics now known as Henkin semantics [12]. We briefly describe Henkin semantics. The interested reader may find more details of a similar presentation in [6]. A frame is a function D defined on T such that D(o) = {0, 1}, ∀σ ∈ T : D(σ) 6= ∅ and ∀σ, τ ∈ T : D(στ) ⊆ {f | f : D(σ) → D(τ)}. An assignment into a frame D is a function I defined on T ∪ V such that I(x) ∈ D(σ) for all types σ and variables x : σ. Let I be an x assignment into a frame D, x : σ be a variable and a ∈ D(σ). We write Ia to denote the assignment into D that agrees everywhere with I except possibly on x where it yields a. We define a partial evaluation function b that maps assignments I and terms s ∈ Λσ possibly to values Iˆ(s) in D(σ) as follows: 1. Iˆ(x) := I(x) 2. Iˆ(c) := f if c : σ, f ∈ D(σ) and f has the usual classical meaning of c 3. Iˆ(s t) := Iˆ(s)(Iˆ(t))

ˆ x 4. I(λx.s) := f if λx.s : στ, f ∈ D(στ) and ∀a ∈ D(σ): Ica(s) = fa Note that Iˆ is a partial function from typed terms into the frame. An interpretation is a pair (D, I) where D is a frame, I is an assignment into D and Iˆ is a total function, i.e., Iˆs is defined for every s ∈ Λσ. We write Interp for the set of all interpretations. A formula is a term of type o. We say an interpretation (D, I) satisfies a formula s if Iˆ(s) = 1. A set A of formulas is satisfiable if there is an interpretation (D, I) simultaneously satisfying all the formulas in A. Otherwise, we say A is unsatisfiable. We say two terms s, t ∈ Λσ are semantically equivalent (written s ≈ t) if Iˆs = Iˆt for all interpretations (D, I).

3 Tableau Calculus T

We brieﬂy describe a tableau calculus for classical extensional higher-order logic which is complete relative to Henkin semantics. A similar tableau calculus is presented and proven complete in [6]. The calculus in [6] only uses the logical constants =σ and ¬ while here we include many more logical constants. Also, we include rules such as Cut and DeMorgan which are not needed for completeness. We include these rules because they are sound relative to Henkin semantics and the translation we give later is able to handle the extra rules. A branch is a set of β-normal formulas. A step is an n + 1-tuple hA1,...,An,Ai of branches with n ≥ 0. Given a set of steps T , one can inductively deﬁne the set of branches which are T -refutable as follows: If hA1,...,An,Ai ∈ T and Ai is T -refutable for i ∈ {1, . . . , n}, then A is T -refutable. A rule is a set of steps. The rules are presented in the form

C RuleName B1 ··· Bn to indicate the set of steps of the form hA1,...,An,Ai where C ⊆ A and Ai = A ∪ Bi for each i ∈ {1, . . . , n}. There are also sometimes side conditions on the branch A. For example if we say a variable y must be fresh in a rule, this means that for the step hA1,...,An,Ai to be in the rule there is the additional requirement that y∈ / FV (A). In most cases C is a singleton set {s} and in the remaining cases C is either empty (e.g, Cut) or contains two formulas (e.g., Mat).

30 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

Definition 3.1 (Tableau Calculus T ). We define the tableau calculus T as the union of the rules in Figure 1. This also defines the corresponding notion of T -refutability. We say a formula s is T -refutable if the branch {dseβ} is T -refutable. We say a formula s is T -provable if the formula ¬dseβ is T -refutable.

⊥ ¬> s, ¬s s 6= s Closed⊥ Closed¬> Closed Closed 6=

(s = t), (t 6= s) ¬¬s s ∧ t s ∨ t ClosedSym Cut Dneg And Or s ¬s s s, t s t s → t ¬(s ∧ t) ¬(s ∨ t) ¬(s → t) Imp NegAnd NegOr NegImp ¬s t ¬s ¬t ¬s, ¬t s, ¬t ∀s ¬∀s ∃s Forall DeMorgan∀ x∈ / FV (s) Exists y is fresh ds teβ ∃x.¬ds xeβ ds yeβ ¬∃s s =o t s 6=o t DeMorgan∃ x∈ / FV (s) Bool = BoolExt ∀x.¬ds xeβ s, t ¬s, ¬t s, ¬t t, ¬s στ στ s1 = s2 s 6= t x s1 . . . sn, ¬x t1 . . . tn Func = FuncExt x is fresh Mat τ β τ β ds1 t = s2 te ds x 6= t xe s1 6= t1 ... sn 6= tn ι ι ι x s1 . . . sn 6= x t1 . . . tn s1 = t1, s2 6= t2 Dec Con s1 6= t1 ... sn 6= tn s1 6= s2, t1 6= s2 s1 6= t2, t1 6= t2

Figure 1: Tableau rules used to deﬁne the tableau calculus T

Many variations of the tableau rules are possible. For example, instead of the rule

¬∃s DeMorgan∃ x∈ / FV (s) ∀x.¬ds xeβ we could have an alternative rule

¬∃s Neg∃ x is fresh. ¬ds xeβ

Note that if we use Neg∃, then x must be fresh rather than the weaker requirement x∈ / FV (s) in DeMorgan∃. By using the DeMorgan∃ version, there is one fewer rule for which the freshness condition needs to be taken care of later. One could similarly modify the rule FuncExt so that the only rule with a freshness condition would be Exists. In this paper the form of the tableau rules are chosen to match those considered in [18]. We brieﬂy consider two examples of T -provable formulas.

Example 3.2. Let p be a variable of type o. We show the formula p 6= ¬p is T -provable, i.e., the branch A0 := {p 6= ¬p} is T -refutable. The branch A0 is T -refutable because of the NegOr rule and the fact that A1 := A0 ∪ {p, ¬¬¬p} and A2 := A0 ∪ {¬p, ¬¬p} are T -refutable. We know A2 is T -refutable using the Closed rule. We know A1 is T -refutable using the Dneg and

31 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

Closed rules. The reason we call this a tableau refutation is that one can display the refutation as a picture we refer to as a tableau. For this example the following is the corresponding tableau: p 6=o ¬p p ¬p ¬¬¬p ¬¬p ¬p Example 3.3. Let p be a variable of type o. The formula (λp.¬¬p) =oo (λp.p) is T -provable. In this case we simply show the tableau and note that the steps are justiﬁed by the FuncExt, BoolExt, Dneg and Closed rules. (λp.¬¬p) 6= (λp.p) (¬¬p) 6= p ¬¬¬p ¬¬p p ¬p ¬p

4 Natural Deduction Calculus N

− We now present a natural deduction calculus for formulas in Λo . That is, we only consider formulas that use the logical constants → and ∀σ. Such calculi were introduced by Gentzen in 1935 [10] and studied further by Prawitz [17]. − A context Γ is a ﬁnite subset of Λo . Γ `N s holds when derivable using the rules in Figure 2.

Note that if for some context Γ and some formula s we are given a derivation of Γ `N s that uses the wk rule, we can construct a derivation of Γ `N s that does not use the wk rule. This follows from how the hy rule is stated. We only add the wk rule for convenience.

0 t ∈ Γ Γ `N s Γ `N t 0 hy β s ∼β t wk Γ ⊆ Γ Γ `N t Γ `N t Γ `N t

Γ ` t Γ, s ` t ∀I N x∈ / FV (Γ) → I N Γ `N ∀x.t Γ `N s → t Γ ` ∀x.s Γ ` s → t Γ ` s ∀E N → E N N Γ `N s[x := t] Γ `N t

Figure 2: Rules in our ND calculus N

− We write `N s for ∅ `N s. We say a formula s ∈ Λo is N -provable if `N s. We say a context o − Γ is N -refutable if Γ `N ∀ p.p. Likewise, a formula s ∈ Λo is N -refutable if the context {s} is N -refutable.

Example 4.1. Let x, y, p and q be variables with x, y ∈ Vι and p, q ∈ Vιo. We use the following diagram to show that the formula (∀p.px → py) → qy → qx is N -provable.

hy hy {∀p.px → py} ` ∀p.px → py {qx} ` qx ∀E N → I N {∀p.px → py} ` (λy.qy → qx)x → (λy.qy → qx)y ` qx → qx β N wk N {∀p.px → py} ` (qx → qx) → (qy → qx) {∀p.px → py} ` qx → qx → E N N {∀p.px → py} ` qy → qx → I N `N (∀p.px → py) → qy → qx

32 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

5 Translating Terms, Formulas and Branches

In this section we introduce a meaning preserving translation that maps tableau refutable − formulas in Λo to N -refutable formulas in Λo . Since a tableau calculus operates on branches instead of formulas, we will also need to deﬁne a branch translation Ψ∗ that maps branches to contexts. We begin by considering the most important issue: the translation of logical constants. We − will associate with each logical constant c ∈ Cσ a term c˙ ∈ Λσ . For the propositional connectives we can use terms which are sometimes called the Russell-Prawitz deﬁnitions [17].

→˙ := λx.λy.x → y ⊥˙ := ∀p : o.p >˙ := ∀p : o.p → p ¬˙ := λx.x → ∀p : o.p ∧˙ := λx.λy.∀p : o.(x → y → p) → p ∨˙ := λx.λy.∀p : o.(x → p) → (y → p) → p

We also define ≡˙ to be λxy : o.(x → y)∧˙ (y → x), even though we do not have a logical constant ≡, since it will be useful below. We will define ˙=σ to be a term Rσ of type σσo. This term Rσ will also be used in the definitions of ∀˙ σ and ∃˙ σ. Since ˙=σ will be defined as Rσ, the meaning of Rσ in every (classical extensional) interpretation must be equality. A simple way to satisfy this constraint is to define Rσ to be Leibniz equality, i.e., λxy.∀q : σo.qx → qy, at each type σ. For each T -provable formula the translation should be N -provable. If Rιι and Rι were both Leibniz equality, then even though ∀fg : ιι.(∀x : ι.fx = gx) → f = g is clearly T -provable its translation would not be N -provable. This suggests that we should not define Rσ to be Leibniz equality for every type σ. Instead we will define Rσ to be Leibniz equality only when σ is the base type ι. We will define Ro to be logical equivalence (as expressed by ≡˙ ) and on function types we will use functional equivalence modified by a double negation.

σ − Deﬁnition 5.1. For every type σ we deﬁne inductively a term R in Λσσo as follows:

Ro = λx y.(x → y)∧˙ (y → x) Rι = λx y.∀q : ιo.q x → q y Rσ→τ = λf g.∀x y : σ.Rσ x y → ¬˙ ¬˙ Rτ (f x)(g y)

The term Rσ corresponds to a binary relation on type σ. We sometimes speak of Rσ as a relation rather than as a term. It will turn out that we cannot generally prove (in N ) that Rσ is reflexive. As a consequence, we must restrict the binders in the definitions of ∀˙ σ and ∃˙ σ to x satisfying Rσ x x. In terms of Henkin semantics, this will not make a difference since we will prove that Iˆ(Rσ) is equality on D(σ) in every interpretation (D, I). When considering provability of formulas in N , the restriction to x satisfying Rσ x x will be important. Now we define ˙=σ, ∀˙ σ, and ∃˙ σ as follows:

˙=σ := Rσ ∀˙ σ := λf.∀σx.Rσxx → ¬˙ ¬˙ fx ∃˙ σ := λf.∀op.(∀σx.Rσxx → fx → p) → p

33 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

− Deﬁnition 5.2. We deﬁne our translation Ψ:Λσ → Λσ by recursion as follows. Ψx := x for variables x Ψst := (Ψs)(Ψt) Ψλx.s := λx.Ψs Ψc :=c ˙ for constants c

We call Ψ compositional because it respects application and λ-abstraction. As a simple consequence of compositionality, we know that Ψ preserves β-equivalence.

Lemma 5.3. If s and t are β-equivalent, then Ψs and Ψt are also β-equivalent.

σ We now prove Ψs ≈ s for all s ∈ Λσ. We ﬁrst prove that R behaves like equality.

Lemma 5.4. ∀σ ∈ T : ∀(D, I) ∈ Interp : ∀a, b ∈ D(σ):(Iˆ(Rσ) a b = 1) ⇐⇒ a = b Proof. We prove this lemma by induction on types. Let (D, I) be an arbitrary interpretation and let a and b be arbitrary elements in D(σ).

• Case σ = o: xy ˙ It is easy to check that Idab ((x → y)∧(y → x)) = 1 ⇐⇒ a = b. • Case σ = ι: We know Iˆ(Rι) a b = 1 ⇐⇒ a = b since Rι is Leibniz equality.

• Case σ = σ1σ2: We want to show Iˆ(Rσ1σ2 ) a b = 1 ⇐⇒ a = b.

σ1σ2 – Assume Iˆ(R ) a b = 1. We need to show a = b. Let c ∈ D(σ1) be given. We prove a(c) = b(c) as follows.

Iˆ(Rσ1σ2 ) a b = 1

dfg σ1 σ2 ⇐⇒ Iab (∀x y.R x y → ¬˙ ¬˙ R (f x)(g y)) = 1

\fgxy σ1 σ2 =⇒ Iabcc (R x y → ¬˙ ¬˙ R (f x)(g y)) = 1 ⇐⇒ (Iˆ(Rσ1 ) c c = 1 =⇒ Iˆ(Rσ2 )(a(c))(b(c)) = 1) ⇐⇒ (c = c =⇒ a(c) = b(c)) (IH) ⇐⇒ a(c) = b(c)

σ1 – Assume a = b. Let c, d ∈ D(σ1) be such that Iˆ(R ) c d = 1. We know c = d by the inductive hypothesis and so ac = bd. By the inductive hypothesis we have Iˆ(Rσ2 )(ac)(bd) = 1. Hence Iˆ(Rσ1σ2 ) a b = 1.

Lemma 5.5. For every interpretation (D, I) and every a in D(σ) we have I(Rσ) a a = 1.

Proof. Follows directly from Lemma 5.4.

Lemma 5.6. For every c ∈ Cσ, c˙ ≈ c.

34 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

Proof. Let (D, I) be an interpretation. In order to prove Iˆ(c ˙) = Iˆ(c) it is enough to prove Iˆ(c ˙) has the usual classical meaning of c in I since at most one element of D(σ) can have this property. It is easy to check this for Iˆ(c ˙) when c ∈ {→, ⊥, >, ¬, ∧, ∨}. We know Iˆ( ˙=τ ) behaves like equality by Lemma 5.4. It remains to prove Iˆ(∀˙ τ ) and Iˆ(∃˙ τ ) behave like universal and existential quantiﬁcation. Let q ∈ D(τo) be given. We use Lemma 5.4 to obtain

Iˆ(∀˙ τ ) q = 1

f τ τ ⇐⇒ Icq (∀ x.(R xx) → ¬˙ ¬˙ fx) = 1

f τ ⇐⇒ Icq (∀ x.fx) = 1 ⇐⇒ qa = 1 for every a ∈ D(τ) and

Iˆ(∃˙ τ ) q = 1

f o σ σ ⇐⇒ Icq (∀ p.(∀ x.(R xx) → fx → p) → p) = 1

f o σ ⇐⇒ Icq (∀ p.(∀ x.fx → p) → p) = 1 ⇐⇒ qa = 1 for some a ∈ D(τ).

Theorem 5.7. For every s ∈ Λσ, Ψs ≈ s.

Proof. We argue by induction on s. If s is a variable, then the result is clear. If s is a logical constant, then the result follows by Lemma 5.6. Suppose s is tu. Let (D, I) be an interpretation. By inductive hypothesis Iˆ(Ψt) = Iˆ(t) and Iˆ(Ψu) = Iˆ(u). Hence Iˆ(Ψ(tu)) = Iˆ(tu). Finally, suppose s is λx.t of type σ1σ2 and let (D, I) be an interpretation. Let a ∈ D(σ1) x x be given. By the inductive hypothesis Ica(Ψt) = Ica(t). Generalizing over a, we conclude Iˆ(Ψt) = Iˆ(t).

Using Lemma 5.4 and Theorem 5.7 we easily obtain the following corollary.

Corollary 5.8. Let s be a formula such that FV (s) = {x1, . . . , xn}. We know

s ≈ (x1 ˙=x1 → · · · → xn ˙=xn → ¬˙ ¬˙ Ψs)

We now consider which properties of R are provable in N . In particular, Rσ is provably symmetric and transitive, i.e., a PER (partial equivalence relation). As we previously mentioned, we cannot generally prove Rσ is reﬂexive in N since N lacks extensionality, but we can prove that Rσ is reﬂexive when σ is o or ι. Proofs of the next two lemmas are straightforward and can be found as Coq proofs in [18, 19].

σ σ σ σ Lemma 5.9. For each type σ we have `N ∀ xyz.R xy → R yz → R xz. We also have σ σ σ `N ∀ xy.R xy → R yx.

σ σ Definition 5.10. A type σ is reflexive if `N ∀ x.R xx. Lemma 5.11. The types ι and o are reflexive.

35 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

oo oo One can use the model constructed in Example 5.4 of [1] to demonstrate 6`N ∀ x.R xx oι oι and 6`N ∀ x.R xx. For more details see [18]. When translating tableau refutations we will sometimes need to consider a term t of type σ σ and need to know that Γ `N ¬˙ ¬˙ R (Ψt)(Ψt). One might try to prove this by a simple induction on t, but such an attempt will fail at the variable case. In general, we cannot prove σ σ Γ `N ¬˙ ¬˙ R x x. However, we are able to prove (see Theorem 5.15) Γ `N ¬˙ ¬˙ R (Ψt)(Ψt) σ under the assumption that Γ `N ¬˙ ¬˙ R x x for every x ∈ FV (t). Establishing Theorem 5.15 requires generalizing the result using simultaneous substitutions (Lemma 5.14). In some sense, Lemma 5.14 and Theorem 5.15 encapsulate a central reason why the translation works.

Lemma 5.12. For each c ∈ C we have `N Rc˙c˙. Proof. One must consider each case. Details are in [18].

στ σ τ Lemma 5.13. `N ∀fgxy.¬˙ ¬˙ R fg → ¬˙ ¬˙ R xy → ¬˙ ¬˙ R (fx)(gy) Proof. This is straightforward using the deﬁnition of Rστ .

Lemma 5.14. For all terms t, for all substitutions θ1, θ2 and, for all contexts Γ:

if ∀x ∈ FV (t):Γ `N R(θ1(x))(θ2(x)) then Γ `N ¬˙ ¬˙ R(θ1(Ψt))(θ2(Ψt)) Proof. We prove this lemma by structural induction on t. • If t is a variable, then the result holds by the assumption. • If t is a logical constant, then the result hold by Lemma 5.12.

• Suppose t is t1t2. By the inductive hypothesis we know Γ `N ¬˙ ¬˙ R(θ1(Ψt1))(θ2(Ψt1)) and

Γ `N ¬˙ ¬˙ R(θ1(Ψt2))(θ2(Ψt2)). Hence Γ `N ¬˙ ¬˙ R(θ1(Ψt1t2))(θ2(Ψt1t2)) by Lemma 5.13. • Suppose t is λx.t0. Renaming variables if necessary, we assume x is chosen to avoid capture 0 0 so that θ1(Ψt) = λx.(θ1(Ψt )) and θ2(Ψt) = λx.(θ2(Ψt )). It suﬃces to prove 0 0 Γ `N R(θ1(Ψλx.t ))(θ2(Ψλx.t )). 0 0 Let x1 and x2 be distinct fresh variables. Let Γ be Γ, (Rx1x2). For each i ∈ {1, 2} let θi be θi, [x := xi]. It is easy to see that we have 0 0 0 0 ∀y ∈ FV (t ):Γ `N R(θ1(y))(θ2(y)), because of the assumption about FV (t) and the fact that FV (t0) ⊆ FV (t) ∪ {x}. We 0 0 0 0 0 apply the inductive hypothesis to obtain Γ `N ¬˙ ¬˙ Rθ1(Ψt )θ2(Ψt ). Theorem 5.15. For all terms t, and for all contexts Γ:

if ∀x ∈ FV (t):Γ `N Rxx then Γ `N ¬˙ ¬˙ R(Ψt)(Ψt) Proof. Follows directly from Lemma 5.14 by using the identity substitution. We need to extend Ψ to map branches to contexts. The most obvious extension that just maps Ψ to all the formulas in the branch to obtain a context does not have the properties we βf oo want. Using the model M constructed in Example 5.4 of [1] one can prove 0N ¬˙ ¬˙ R xx. Consequently, the branch x 6=oo x is T -refutable but ¬˙ Ψ(x =oo x) is not N -refutable. In Definition 5.16 below we define a branch translation Ψ∗A which includes Rxx for each free variable x in A. Following the definition we give a detailed example to further illustrate why such extra formulas are desired.

36 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

Deﬁnition 5.16 (The Branch Translation Ψ∗). The branch translation Ψ∗ maps a branch to a context as follows:

Ψ∗A := {Ψs|s ∈ A} ∪ {Rσx x|x : σ and x ∈ FV (A)}

Example 5.17. Consider the formula x 6=oo x. A tableau refutation of this formula starts with the branch {x 6=oo x}. This branch is directly T -refutable using the Closed6= rule. To mimic the Closed6= step in N we need to prove that Ψ∗{x 6=oo x} is N -refutable. If Ψ∗{x 6=oo x} were deﬁned as simply {Ψ(x 6=oo x)}, then it would not be N -refutable as mentioned above. Our deﬁnition of Ψ∗ maps the branch {x 6=oo x} to the context {¬˙ Ryy, Ryy} which is obviously N -refutable.

Example 5.18. We consider the translation of the formula (λp.¬¬p) = (λp.p) proven in Example 3.3.

Ψ((λp.¬¬p) = (λp.p)) is Roo(λp.¬˙ ¬˙ p)(λp.p) is ∀pq : o.(p≡˙ q → ¬˙ ¬˙ ((¬ ˙ ¬˙ p)≡˙ q)).

A consequence of the ﬁnal corollary in the next section is that the formula

¬˙ ¬∀˙ pq : o.(p≡˙ q → ¬˙ ¬˙ ((¬ ˙ ¬˙ p)≡˙ q)) is N -provable.

6 Translating Proofs

We prove that every T -refutable branch A maps to an N -refutable context Ψ∗A (see Theo- rem 6.14). Implicitly this gives a translation from tableau refutations to natural deduction refutations. One may attempt to prove this by an induction on the T -refutability of A, but a problem arises. Namely, a rule such as Forall may introduce a term t with free variables that prevent us from applying Theorem 5.15. In order to avoid this problem, we deﬁne a restricted 1 tableau calculus Tr. We prove that if A is T -refutable, then it is also Tr-refutable. We then ∗ prove that if a branch A is Tr-refutable, then Ψ A is N -refutable. Deﬁnition 6.1 (Admissible for a Branch). A term t is admissible for a branch A if for each variable x ∈ FV (t), either x ∈ FV (A) or x is of type ι or o.

Definition 6.2 (Tableau Calculus Tr). The tableau calculus Tr contains all the tableau rules that are in T (see Definition 3.1) except for Forall, Func=, and Cut, for which it contains restricted forms as shown in Figure 3. This also defines the corresponding notion of Tr-refutability.

In Proposition 6.7 below we prove that every T -refutable branch is Tr-refutable. The proof depends on a few simple lemmas.

0 0 Lemma 6.3 (Weakening). If a branch A is Tr-refutable, then every branch A such that A ⊆ A is Tr-refutable.

Proof. This is proven by induction on Tr-refutability, taking care to rename variables from the Exists and FuncExt rules so they remain fresh.

1 The proof of Lemma 6.11 will show how using Tr resolves the problem.

37 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

∀s Forallr t is admissible for the branch Cutr s is admissible for the branch ds teβ s ¬s

στ s1 = s2 Func =r t is admissible for the branch τ β ds1 t = s2 te

Figure 3: Restricted Forall, Func=, and Cut Rules

σ Lemma 6.4. If ¬∃ x.x = x is in a branch A, then A is Tr-refutable.

σ Proof. Using DeMorgan∃ it suffices to prove A ∪ {∀ x.x 6= x} is Tr-refutable. The type σ has the form σ1 ··· σnα where α ∈ {o, ι}. Choose a variable y of type α and for each i ∈ {1, . . . , n} σ choose a variable zi of type σi. Let t be the term λz1 ··· zn.y. We know A∪{(∀ x.x 6= x), t 6= t} is Tr-refutable using the Closed 6= rule. The term t is of type σ and is admissible for the branch σ σ A ∪ {∀ x.x 6= x} since y has type ι or o. Hence the rule Forallr justifies that A ∪ {∀ x.x 6= x} is Tr-refutable. Definition 6.5. Let X be a finite set of variables. We define EX to be the branch S x∈X {(∃x.x = x), (x = x)}. Lemma 6.6. Let A be a branch and X be a finite set of variables such that X ∩ FV (A) = ∅. X If A ∪ E is Tr-refutable, then A is Tr-refutable. Proof. We prove this by induction on the number of variables in X. If X is empty, then the result is trivial since E∅ is empty. Suppose X is Y ∪ {x} where x∈ / Y . In this case EX is EY ∪ {(∃x.x = x), (x = x)}. Since x is not free in A ∪ EY ∪ {(∃x.x = x)} and A ∪ EX is Y Tr-refutable, we know A ∪ E ∪ {∃x.x = x} is Tr-refutable via the Exists rule. By Lemma 6.4 Y Y we also know A ∪ E ∪ {¬∃x.x = x} is Tr-refutable. By Cutr we know A ∪ E is Tr-refutable. Finally, we conclude A is Tr-refutable using the inductive hypothesis.

Now we are in a position to prove that if a branch is T -refutable, then it is Tr-refutable. The proof implicitly describes an algorithm for modifying a tableau refutation so that it only uses the restricted rules.

Proposition 6.7. If a branch A is T -refutable, then A is Tr-refutable. Proof. The proof is by induction on T -refutability. Suppose T -refutability of A follows from the step hA1,...,An,Ai in T where Ai is T -refutable for each i ∈ {1, . . . , n}. By the inductive hypothesis, we know Ai is Tr-refutable for each i ∈ {1, . . . , n}. If hA1,...,An,Ai is a step in Tr, then we are done. Otherwise, hA1,...,An,Ai must be a step in one of the Forall, Func=, or Cut rules and the new term used in the rule contains free variables not in A. We consider σ β the Forall rule; the others are similar. Suppose ∀ s ∈ A, n = 1 and A1 is A, dste . Let X be FV (t) \ FV (A). Clearly X is ﬁnite and X ∩ FV (A) = ∅. By weakening (Lemma 6.3) and β X Tr-refutability of A1, we know A, dste ∪ E is Tr-refutable. Clearly every free variable of t is β X X free in A, dste ∪ E . Hence, we can use the Forallr rule to conclude A ∪ E is Tr-refutable. By Lemma 6.6 we know A is Tr-refutable.

Corollary 6.8. The tableau calculus Tr is complete. Proof. This is a direct consequence of Proposition 6.7 and the completeness of T .

38 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

We can now turn to the main part of the translation from restricted tableau refutations to ∗ natural deduction refutations. We prove that if A is Tr-refutable, then Ψ A is N -refutable. We can reduce this to a local property – the property of a rule being respected. Deﬁnition 6.9. We say a rule (a set of steps) is respected if the following holds for every step ∗ ˙ ∗ ˙ hA1,...,An,Ai in the rule: If Ψ Ai `N ⊥ holds for all i ∈ {1, . . . , n}, then Ψ A `N ⊥ holds.

We prove that every rule deﬁning Tr is respected. The fact that the rules are respected follows from the N -provability of certain formulas. We prove this for the rules Exists and Forallr in some detail. For the remaining rules we mainly give corresponding N -provable formulas.

Lemma 6.10. The Exists rule is respected. Proof. Let s be a term, A be a branch containing ∃σs, and x be a fresh variable. ∗ β ˙ ∗ ˙ Assume that Ψ (A ∪ {dsxe }) `N ⊥. We want to show that Ψ A `N ⊥. Note that if y occurs free in dsxeβ then

Ψ∗(A ∪ {dsxeβ}) = Ψ∗(A) ∪ {Ψ(dsxeβ)} ∪ {Rxx}, otherwise Ψ∗(A ∪ {dsxeβ}) = Ψ∗(A) ∪ {Ψ(dsxeβ)}. ∗ β ˙ In either case we know Ψ (A) ∪ {Ψ(dsxe )} ∪ {Rxx} `N ⊥ by assumption and possibly the wk rule. By Lemma 5.3 we know Ψ(dsxeβ) is β-equivalent to Ψ(sx), i.e., (Ψs)x. Using → I and β ∗ σ ˙ we have Ψ A `N R xx → (Ψs)x → ⊥. Since x∈ / FV (A) we can use ∀I to obtain ∗ σ σ ˙ Ψ A `N ∀ x.R xx → (Ψs)x → ⊥. ∗ ∗ ˙ σ Since ∃s ∈ A, we know Ψ(∃s) ∈ Ψ A and thus Ψ A `N ∃ (Ψs) by the hy rule. The following is easy to verify (for a Coq proof term see [18, 19]) : σo σ σ ˙ ˙ σ ˙ `N ∀ f.(∀ x.R xx → fx → ⊥) → (∃ f) → ⊥. ∗ ˙ Hence we have Ψ A `N ⊥ as desired.

The argument for the Forallr rule is similar. In this case we must make use of Theorem 5.15.

Lemma 6.11. The Forallr rule is respected. Proof. Let s be a term, A be a branch containing ∀σs, and t be a term admissible for A. Note that Ψ∗(A ∪ {dsteβ}) ⊆ Ψ∗(A) ∪ {Ψ(dsteβ)} ∪ {Rxx|x ∈ FV (t)}. By assumption and possibly the wk rule we know ∗ β ˙ Ψ (A) ∪ {Ψ(dste )} ∪ {Rxx|x ∈ FV (t)} `N ⊥. We know t is admissible. Thus for each x ∈ FV (t) either x ∈ FV (A) or x has the reﬂexive ∗ type ι or o. Hence for each x ∈ FV (t) we know Ψ A `N Rxx. Consequently, we have ∗ β ˙ Ψ (A) ∪ {Ψ(dste )} `N ⊥. Using Lemma 5.3 we know ∗ ˙ Ψ A `N (Ψs)(Ψt) → ⊥. Applying Theorem 5.15 we also have

∗ σ Ψ A `N ¬˙ ¬˙ R (Ψt)(Ψt).

39 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

Closed: ∀op.p → (¬ ˙ p) → ⊥˙ Closed⊥: ⊥˙ → ⊥˙ Closed¬>: (¬ ˙ >˙ ) → ⊥˙ Closed6=: ∀σx.¬˙ ¬˙ (Rσxx) → ¬˙ (Rσxx) → ⊥˙ ClosedSym: ∀σxy.(Rσxy) → ¬˙ (Rσyx) → ⊥˙ o Cutr: ∀ p.(p → ⊥˙ ) → ((¬ ˙ p) → ⊥˙ ) → ⊥˙ DNeg: ∀op.(p → ⊥˙ ) → (¬ ˙ ¬˙ p) → ⊥˙ And: ∀p q.(p → q → ⊥˙ ) → (p∧˙ q) → ⊥˙ Or: ∀p q.(p → ⊥˙ ) → (q → ⊥˙ ) → (p∨˙ q) → ⊥˙ Imp: ∀op q.((¬ ˙ p) → ⊥˙ ) → (q → ⊥˙ ) → (p → q) → ⊥˙ NegAnd: ∀p q.((¬ ˙ p) → ⊥˙ ) → ((¬ ˙ q) → ⊥˙ ) → ¬˙ (p∧˙ q) → ⊥˙ NegOr: ∀p q.((¬ ˙ p) → (¬ ˙ q) → ⊥˙ ) → ¬˙ (p∨˙ q) → ⊥˙ NegImp: ∀op q.(p → (¬ ˙ q) → ⊥˙ ) → (¬ ˙ (p → q)) → ⊥˙ DeMorgan∀: ∀σ→of.((∃˙ σ(λx.¬˙ fx)) → ⊥˙ ) → (¬ ˙ (∀˙ σf)) → ⊥˙ DeMorgan∃: ∀σ→of.((∀˙ σ(λx.¬˙ fx)) → ⊥˙ ) → (¬ ˙ (∃˙ σf)) → ⊥˙ Bool=: ∀opq.(p → q → ⊥˙ ) → ((¬ ˙ p) → (¬ ˙ q) → ⊥˙ ) → (Ropq) → ⊥˙ BoolExt: ∀opq.(p → (¬ ˙ q) → ⊥˙ ) → (q → (¬ ˙ p) → ⊥˙ ) → ¬˙ (Ropq) → ⊥˙ FuncExt: ∀στ kh.¬˙ ¬˙ (Rστ hh) → (∀σx.(Rσxx) → ¬˙ (Rτ (kx)(hx)) → ⊥˙ ) → ¬˙ (Rστ kh) → ⊥˙ στ σ σ τ στ Func=r: ∀ kh.∀ t.¬˙ ¬˙ (R tt) → ((R (kt)(ht)) → ⊥˙ ) → (R kh) → ⊥˙ σ σ ...σ o σ σ σ σ σ ...σ o Mat: ∀ 1 2 n p.∀ 1 x1y1.∀ 2 x2y2.....∀ n xnyn.¬˙ ¬˙ (R 1 2 n pp) → σ σ σ (¬ ˙ (R 1 x1y1) → ⊥˙ ) → (¬ ˙ (R 2 x2y2) → ⊥˙ ) → · · · → (¬ ˙ (R n xnyn) → ⊥˙ ) →

px1x2 . . . xn → ¬˙ (py1y2 . . . yn) → ⊥˙ σ σ ...σ ι σ σ σ σ σ ...σ ι Dec: ∀ 1 2 n h.∀ 1 x1y1.∀ 2 x2y2.....∀ n xnyn.¬˙ ¬˙ (R 1 2 n hh) → σ σ σ (¬ ˙ (R 1 x1y1) → ⊥˙ ) → (¬ ˙ (R 2 x2y2) → ⊥˙ ) → · · · → (¬ ˙ (R n xnyn) → ⊥˙ ) → ι ¬˙ (R (hx1x2 . . . xn)(hy1y2 . . . yn)) → ⊥˙

Con: ∀ιxyzw.(¬ ˙ (Rιxz) → ¬˙ (Rιyz) → ⊥˙ ) → (¬ ˙ (Rιxw) → ¬˙ (Rιyw) → ⊥˙ ) → (Rιxy) → ¬˙ (Rιzw) → ⊥˙

Figure 4: Formulas provable in N used in the proof of Lemma 6.12

∗ ∗ ˙ σ Since ∀s ∈ A, we know Ψ(∀s) ∈ Ψ A thus Ψ A `N ∀ (Ψs) by the hy rule. The following is easy to verify (for a Coq proof term see [18, 19]) :

σo σ σ ˙ ˙ σ ˙ `N ∀ f.∀ x.¬˙ ¬˙ R xx → (fx → ⊥) → (∀ f) → ⊥

∗ ˙ Hence we have Ψ A `N ⊥ as desired. The proofs of Lemmas 6.10 and 6.11 illustrate how one proves that a rule is respected. For the remaining rules we will simply indicate the formulas whose N -provability implies the rule is respected.

Lemma 6.12. All of the rules in Tr are respected.

Proof. We have already proven this for Exist in Lemma 6.10 and Forallr in Lemma 6.11. For the remaining rules one can argue similarly making use of formulas which are provable in N and correspond to the structure of the rule. We display formulas corresponding to the remaining

40 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah rules in Figure 4. Proof terms (in Coq) for these formulas are available in [18, 19] with the exception of the lemmas for Mat and Dec. The lemmas for Mat and Dec have been formulated and proven in Coq for the cases with 1 and 2 arguments.

∗ Proposition 6.13. If A is Tr-refutable, then Ψ A is N -refutable.

Proof. The proof is by an easy induction on the Tr-refutation using Lemma 6.12 at each step. We ﬁnally conclude similar results for T -refutability. Theorem 6.14. If A is T -refutable, then Ψ∗A is N -refutable. Also, if s is a ground formula and s is T -refutable, then Ψs is N -refutable. Proof. This follows from Propositions 6.7 and 6.13. We can also conclude the following using Theorem 6.14 and Corollary 5.8.

Corollary 6.15. Let s be a formula such that FV (s) = {x1, . . . , xn}. If s is T -provable, then s ≈ (x1 ˙=x1 → · · · → xn ˙=xn → ¬˙ ¬˙ Ψs) and (x1 ˙=x1 → · · · → xn ˙=xn → ¬˙ ¬˙ Ψs) is N -provable.

7 Conclusion

Given a higher-order formula s and a classical extensional tableau proof of s, our aim was to find a formula s0 that is semantically equivalent to s and construct an intuitionistic intentional 0 natural deduction proof of s . We defined two tableau calculi T and Tr and proved that whenever a branch is T -refutable, it is also Tr-refutable (Proposition 6.7). Moreover, we gave a translation Ψ and proved that it maps higher-order formulas to semantically equivalent formulas in the sense of Henkin semantics (Theorem 5.7). Furthermore, we defined a branch translation ∗ ∗ Ψ that maps branches to contexts and proved that for any Tr-refutable branch A, Ψ A is N -refutable (Proposition 6.13). We concluded that for any T -provable formula s with free variables x1, . . . , xn, the formula

Ψ(x1 = x1) → · · · → Ψ(xn = xn) → Ψ(¬¬s) is semantically equivalent to s and is N -provable (Corollary 6.15). Hence for any ground formula s that is T -provable, Ψ(¬¬s) is N -provable. Several issues are still open for future work. One may want to determine the precise re- lationship between our translation Ψ and the translation given by Gandy [9]. One could also investigate to what extent the translation can be extended to handle a choice operator. A choice operator is a logical constant εσ :(σo)σ satisfying ∀p : σo.∀x : σ.px → p(εσp). Such operators are supported by Satallax. To extend the translation in this paper to handle εσ one would need to ﬁnd a term Ψεσ satisfying σ σ `N Ψ(¬¬(ε = ε )) and σ `N Ψ(¬¬∀p : σo.∀x : σ.px → p(ε p)). This will not generally be possible, but might be possible in special situations. For example, one might restrict to having the choice operator only at the base type ι and assume that the base type ι is ﬁnite. On the more practical side, one can implement a mapping from tableau proofs to natural deduction proof terms. This would enable proof checking the tableau proofs that Satallax outputs using Coq. This implementation could make use of the Coq lemmas that are provided in [18, 19].

41 From Classical Extensional to Intuitionistic Intentional C. E. Brown, C. Rizkallah

References

[1] C. Benzmüller, C. E. Brown, and M. Kohlhase. Higher-order semantics and extensionality. Journal of Symbolic Logic, 69:1027–1088, 2004. [2] C. Benzmüller, L. Paulson, F. Theiss, and A. Fietzke. LEO-II — A cooperative automatic theorem prover for classical higher-order logic. In Fourth International Joint Conference on Automated Reasoning (IJCAR’08), volume 5195 of LNCS (LNAI), pages 162–170. Springer, 2008. [3] Y. Bertot and P. Castéran. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. An EATCS Series. Springer, 2004. [4] C. E. Brown. Satallax: An automated higher-order prover. In U. S. Bernhard Gramlich, Dale Miller, editor, 6th International Joint Conference on Automated Reasoning (IJCAR 2012), pages 111 – 117. Springer, 2012. [5] C. E. Brown and C. Rizkallah. Glivenko and Kuroda for simple type theory. Technical report, Saarland University, Dec 2011. Article to be published in Journal of Symbolic Logic. [6] C. E. Brown and G. Smolka. Analytic tableaux for simple type theory and its ﬁrst-order fragment. Logical Methods in Computer Science, 6(2), Jun 2010. [7] A. Church. A formulation of the simple theory of types. Journal of Symbolic Logic, 5(1):56–68, 1940. [8] N. G. de Bruijn. A survey of the project AUTOMATH. In J. P. Seldin and J. R. Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus, and Formalism, pages 579–606. Academic Press, 1980. [9] R. O. Gandy. On the axiom of extensionality–part I. Journal of Symbolic Logic, 21(1):36–48, 1956. [10] G. Gentzen. Untersuchungen über das natürliche Schließen I, II. Mathematische Zeitschrift, 39:176–210, 405–431, 1935. [11] V. Glivenko. Sur quelques points de la logique de M. Brouwer. Bulletins de la classe des sciences, 15:183–188, 1929. [12] L. Henkin. Completeness in the theory of types. Journal of Symbolic Logic, 15(2):81–91, June 1950. [13] W. A. Howard. The formula-as-types notion of construction. In J. P. Seldin and J. R. Hindley, editors, To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 480–490. Academic Press, 1980. [14] S. Kuroda. Intuitionistische Untersuchungen der formalistischen Logik. Nagoya Mathematical Journal, 2:35–47, 1951. [15] The Coq development team. The Coq proof assistant reference manual. LogiCal Project, 2004. Version 8.0. [16] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL — A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002. [17] D. Prawitz. Natural deduction: a proof-theoretical study. PhD thesis, Almqvist & Wiksell, 1965. [18] C. Rizkallah. Proof representations for higher-order logic. Master’s thesis, Saarland University, Saarbruecken, Germany, Dec 2009. [19] C. Rizkallah. Proof representations for higher-order logic: Coq proofs, 2009. http://www.mpi-inf. mpg.de/~crizkall/Full_Tableau_ND_Translation.v. [20] A. Teucke. Translating a Satallax refutation to a tableau refutation encoded in Coq. Bachelor’s thesis, Universität des Saarlandes, 2011.